Privacy Policy
Last updated: July 2026
This Privacy Policy explains how FoodFlow (“we”, “us”) collects, uses, and protects personal data when you use our restaurant management platform. We process personal data in accordance with Thailand’s Personal Data Protection Act (PDPA) and, where applicable, other data protection laws.
1. Data we collect
Account data — name, email address, and password credentials (stored as secure hashes by our authentication provider) when you sign up or are invited as staff.
Business data — the information your restaurant enters to operate: menus, tables, orders, payments records, inventory, staff roles, and settings such as your PromptPay ID and tax ID.
Billing data — subscription and payment method details are collected and processed by Stripe, our payment processor. We store only references (such as customer and subscription identifiers), never full card numbers.
Technical data — log and device information (IP address, browser type, timestamps) used for security and to keep the Service working.
2. How we use data
We use personal data to provide and secure the Service, process subscriptions, send transactional emails (such as sign-up confirmation, password reset, and staff invitations), provide support, and improve the product. We do not sell personal data, and we do not use your restaurant’s business data for advertising.
3. Legal bases
We process data to perform our contract with you (operating the Service), to comply with legal obligations (such as tax and accounting rules), and for legitimate interests such as securing the platform and preventing abuse. Where consent is required, we ask for it and you may withdraw it at any time.
4. Sharing and processors
We share data only with the service providers needed to run FoodFlow: Supabase (database, authentication, and hosting of your data), Stripe (subscription billing), Resend (transactional email), and Vercel (application hosting). Each processes data under its own contractual safeguards. Some providers may store data outside Thailand; where they do, we rely on appropriate protection measures under the PDPA.
5. Your customers’ data
When your restaurant records orders or customer details in FoodFlow, your business is the data controller of that information and we process it on your instructions. You are responsible for informing your customers and handling their requests as required by the PDPA; we provide the tools to view, correct, and delete that data.
6. Retention
We keep account and business data for as long as your account is active. After account deletion, data is removed from production systems within 30 days and from backups within 90 days, except where longer retention is required by law (for example, financial records).
7. Security
Data is encrypted in transit, access is scoped with row-level security so each restaurant can only reach its own records, and staff roles limit what each user can see and change. No system is perfectly secure, but we design for least privilege throughout.
8. Your rights
Under the PDPA you may request access to, correction of, deletion of, or a copy of your personal data, object to or restrict certain processing, and withdraw consent. To exercise these rights, contact us at the address below. You may also lodge a complaint with Thailand’s Personal Data Protection Committee.
9. Changes
We will post any changes to this policy here and update the date above. For material changes we will notify account owners by email.
10. Contact
Data protection inquiries: privacy@foodflowos.com.